[Qemu-devel] [PATCH] nbd/client: Add hint when TLS is missing

[Qemu-devel] [PATCH] nbd/client: Add hint when TLS is missing

[Eric Blake]

I received an off-list report of failure to connect to an NBD server
expecting an x509 certificate, when the client was attempting something
similar to this command line:

$ ./x86_64-softmmu/qemu-system-x86_64 -name 'blah' -machine q35 -nodefaults \
  -object tls-creds-x509,id=tls0,endpoint=client,dir=$path_to_certs \
  -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie.0,addr=0x6 \
  -drive id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0 \
  -device scsi-hd,id=image1,drive=drive_image1,bootindex=0
qemu-system-x86_64: -drive id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0: TLS negotiation required before option 7 (go)
server reported: Option 0x7 not permitted before TLS

The problem?  As specified, -drive is trying to pass tls-creds to the
raw format driver instead of the nbd protocol driver, but before we
get to the point where we can detect that raw doesn't know what to do
with tls-creds, the nbd driver has already failed because the server
complained.  The fix to the broken command line?  Pass
'...,file.tls-creds=tls0' to ensure the tls-creds option is handed to
nbd, not raw.  But since the error message was rather cryptic, I'm
trying to improve the error message.

With this patch, the error message adds a line:

qemu-system-x86_64: -drive id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0: TLS negotiation required before option 7 (go)
Did you forget a valid tls-creds?
server reported: Option 0x7 not permitted before TLS

And with luck, someone grepping for that error message will find this
commit message and figure out their command line mistake.  Sadly, the
only mention of file.tls-creds in our docs relates to an --image-opts
use of PSK encryption with qemu-img as the client, rather than x509
certificate encryption with qemu-kvm as the client.

CC: Tingting Mao <timao@redhat.com>
CC: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
---
 nbd/client.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nbd/client.c b/nbd/client.c
index b9dc829175f9..f6733962b49b 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -204,6 +204,7 @@ static int nbd_handle_reply_err(QIOChannel *ioc, NBDOptionReply *reply,
     case NBD_REP_ERR_TLS_REQD:
         error_setg(errp, "TLS negotiation required before option %" PRIu32
                    " (%s)", reply->option, nbd_opt_lookup(reply->option));
+        error_append_hint(errp, "Did you forget a valid tls-creds?\n");
         break;

     case NBD_REP_ERR_UNKNOWN:
-- 
2.21.0

Re: [Qemu-devel] [PATCH] nbd/client: Add hint when TLS is missing

[Daniel P. Berrangé]

On Sat, Sep 07, 2019 at 12:20:55PM -0500, Eric Blake wrote:
> I received an off-list report of failure to connect to an NBD server
> expecting an x509 certificate, when the client was attempting something
> similar to this command line:
> 
> $ ./x86_64-softmmu/qemu-system-x86_64 -name 'blah' -machine q35 -nodefaults \
>   -object tls-creds-x509,id=tls0,endpoint=client,dir=$path_to_certs \
>   -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie.0,addr=0x6 \
>   -drive id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0 \
>   -device scsi-hd,id=image1,drive=drive_image1,bootindex=0
> qemu-system-x86_64: -drive id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0: TLS negotiation required before option 7 (go)
> server reported: Option 0x7 not permitted before TLS
> 
> The problem?  As specified, -drive is trying to pass tls-creds to the
> raw format driver instead of the nbd protocol driver, but before we
> get to the point where we can detect that raw doesn't know what to do
> with tls-creds, the nbd driver has already failed because the server
> complained.  The fix to the broken command line?  Pass
> '...,file.tls-creds=tls0' to ensure the tls-creds option is handed to
> nbd, not raw.  But since the error message was rather cryptic, I'm
> trying to improve the error message.
> 
> With this patch, the error message adds a line:
> 
> qemu-system-x86_64: -drive id=drive_image1,if=none,snapshot=off,aio=threads,cache=none,format=raw,file=nbd:localhost:9000,werror=stop,rerror=stop,tls-creds=tls0: TLS negotiation required before option 7 (go)
> Did you forget a valid tls-creds?
> server reported: Option 0x7 not permitted before TLS
> 
> And with luck, someone grepping for that error message will find this
> commit message and figure out their command line mistake.  Sadly, the
> only mention of file.tls-creds in our docs relates to an --image-opts
> use of PSK encryption with qemu-img as the client, rather than x509
> certificate encryption with qemu-kvm as the client.
> 
> CC: Tingting Mao <timao@redhat.com>
> CC: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Eric Blake <eblake@redhat.com>
> ---
>  nbd/client.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/nbd/client.c b/nbd/client.c
> index b9dc829175f9..f6733962b49b 100644
> --- a/nbd/client.c
> +++ b/nbd/client.c
> @@ -204,6 +204,7 @@ static int nbd_handle_reply_err(QIOChannel *ioc, NBDOptionReply *reply,
>      case NBD_REP_ERR_TLS_REQD:
>          error_setg(errp, "TLS negotiation required before option %" PRIu32
>                     " (%s)", reply->option, nbd_opt_lookup(reply->option));
> +        error_append_hint(errp, "Did you forget a valid tls-creds?\n");
>          break;
> 
>      case NBD_REP_ERR_UNKNOWN:

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [Qemu-devel] [PATCH] nbd/client: Add hint when TLS is missing

[Eric Blake]

[-- Attachment #1.1: Type: text/plain, Size: 1744 bytes --]

On 9/9/19 4:13 AM, Daniel P. Berrangé wrote:
> On Sat, Sep 07, 2019 at 12:20:55PM -0500, Eric Blake wrote:
>> I received an off-list report of failure to connect to an NBD server
>> expecting an x509 certificate, when the client was attempting something
>> similar to this command line:
>>

>> +++ b/nbd/client.c
>> @@ -204,6 +204,7 @@ static int nbd_handle_reply_err(QIOChannel *ioc, NBDOptionReply *reply,
>>      case NBD_REP_ERR_TLS_REQD:
>>          error_setg(errp, "TLS negotiation required before option %" PRIu32
>>                     " (%s)", reply->option, nbd_opt_lookup(reply->option));
>> +        error_append_hint(errp, "Did you forget a valid tls-creds?\n");
>>          break;
>>
>>      case NBD_REP_ERR_UNKNOWN:
> 
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


Thanks. I should really learn to finish my iotest runs before posting,
because I have to squash this in before queuing through my NBD tree.

diff --git i/tests/qemu-iotests/233.out w/tests/qemu-iotests/233.out
index 24321efa113b..c3c344811b2b 100644
--- i/tests/qemu-iotests/233.out
+++ w/tests/qemu-iotests/233.out
@@ -21,8 +21,10 @@ server reported: TLS not configured

 == check plain client to TLS server fails ==
 qemu-img: Could not open 'nbd://localhost:PORT': TLS negotiation
required before option 7 (go)
+Did you forget a valid tls-creds?
 server reported: Option 0x7 not permitted before TLS
 qemu-nbd: TLS negotiation required before option 3 (list)
+Did you forget a valid tls-creds?
 server reported: Option 0x3 not permitted before TLS

 == check TLS works ==


-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]